5af69a39beef3ee65cc6a89e948f0c66d3e3fa5a16c23fc01466746e1274f109

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5af69a39beef3ee65cc6a89e948f0c66d3e3fa5a16c23fc01466746e1274f109.exe
Size

1.6MB
MD5

2338ae80dec4a5c24d222d7f6349f4eb
SHA1

ea375370d82948b25b4c8d78fce1c578f18af51f
SHA256

5af69a39beef3ee65cc6a89e948f0c66d3e3fa5a16c23fc01466746e1274f109
SHA512

39ecfd8ff5bbac59cf8eee89b918fa060c55053c9d281febae4ca333e9bddb8c8007e03c8f9ac517fa0aec5322b5ebe55a858df9a0211de402b83ec2bb778a7e
SSDEEP

24576:Y49BZ8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:YYZgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3612	alg.exe
3300	elevation_service.exe
1996	elevation_service.exe
4472	maintenanceservice.exe
4612	OSE.EXE
4352	DiagnosticsHub.StandardCollector.Service.exe
2612	fxssvc.exe
4840	msdtc.exe
2452	PerceptionSimulationService.exe
4868	perfhost.exe
4892	locator.exe
3020	SensorDataService.exe
1396	snmptrap.exe
5116	spectrum.exe
2220	ssh-agent.exe
4928	TieringEngineService.exe
3952	AgentService.exe
2404	vds.exe
3832	vssvc.exe
4696	wbengine.exe
1036	WmiApSrv.exe
1648	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\79d0c7427c1fafa7.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	5af69a39beef3ee65cc6a89e948f0c66d3e3fa5a16c23fc01466746e1274f109.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14476686-4332-4254-AEFA-4A0555D6C96A}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b6adec21451da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d9769c21451da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077c051c21451da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbf96bc21451da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007295a7c21451da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000075509c31451da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3300	elevation_service.exe
3300	elevation_service.exe
3300	elevation_service.exe
3300	elevation_service.exe
3300	elevation_service.exe
3300	elevation_service.exe
3300	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4148	5af69a39beef3ee65cc6a89e948f0c66d3e3fa5a16c23fc01466746e1274f109.exe
Token: SeDebugPrivilege	3612	alg.exe
Token: SeDebugPrivilege	3612	alg.exe
Token: SeDebugPrivilege	3612	alg.exe
Token: SeTakeOwnershipPrivilege	3300	elevation_service.exe
Token: SeAuditPrivilege	2612	fxssvc.exe
Token: SeRestorePrivilege	4928	TieringEngineService.exe
Token: SeManageVolumePrivilege	4928	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3952	AgentService.exe
Token: SeBackupPrivilege	3832	vssvc.exe
Token: SeRestorePrivilege	3832	vssvc.exe
Token: SeAuditPrivilege	3832	vssvc.exe
Token: SeBackupPrivilege	4696	wbengine.exe
Token: SeRestorePrivilege	4696	wbengine.exe
Token: SeSecurityPrivilege	4696	wbengine.exe
Token: 33	1648	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1648	SearchIndexer.exe
Token: SeDebugPrivilege	3300	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 3040	1648	SearchIndexer.exe	114
PID 1648 wrote to memory of 3040	1648	SearchIndexer.exe	114
PID 1648 wrote to memory of 4960	1648	SearchIndexer.exe	115
PID 1648 wrote to memory of 4960	1648	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5af69a39beef3ee65cc6a89e948f0c66d3e3fa5a16c23fc01466746e1274f109.exe
"C:\Users\Admin\AppData\Local\Temp\5af69a39beef3ee65cc6a89e948f0c66d3e3fa5a16c23fc01466746e1274f109.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4840

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4176

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3020

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
1⤵
- Modifies data under HKEY_USERS
PID:3040

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
1⤵
- Modifies data under HKEY_USERS
PID:4960

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
217905074d079b6aee88d8a7536a6d08

SHA1
84b1bd8708e65bee2c51e8aba6e2fc66ef218f77

SHA256
e9f6cf26139946fa77d4c2e47995e402b1ecd1e6aa075314b5016c740c9ae5e8

SHA512
06f3455b26a500fe44e144270cf80de331150e0e3eaca8e966a44d77ddb11761f6628b960f918b095964fab847daff8122d9cc017e67fa88a307004ccfa6c443

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
498KB

MD5
e737a619f41922977cb2be976ff628c9

SHA1
5d9ec32cf368d9da875e660a53a2e189db26674a

SHA256
2ef5594f3af1229067c0d2cac6d54abba2d0ab4c01f8dc624770390e36ba7a73

SHA512
a6f750db72b83564d4e88fe633b5cde5fdc58f9b120c7426d62230f805f70081dbff08b1137e41c3aaf06c3b7b257929035c082a9e3777798ea9dd6f3e176862

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
fb17a5291801c681c4a357bc77b0eb37

SHA1
d98d36b2af54cc1fa455670002f3c1d7e7346921

SHA256
61aae41a04f17a1e040978ddf32964ea940761f5fbb60369b602a55aa1ffed7f

SHA512
0a57bdee41995c7f7624deb809502552205460164e2b31ae0da1965c4e2cd9429d50590baa7d182dda78f97c7c4bde61998f73aa043ffd5cc4ca4856505b4de8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
80KB

MD5
ebb53d20bb65c4211064d4ad125a1157

SHA1
033dd6b406d1885f4a6c70864a6caa56b626c42a

SHA256
f555ed31d1595746cdc547fecdb7786adad889ffe0ea58ed5303d300e060c92c

SHA512
355873d96ca4340740795c3021a6b30016ff798eb70663fbfbce782957e0fad53bc423fd8069a64f9528a81e08052385fe8b6916b6d88614b50886b4321fa936

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
186KB

MD5
943563adbed61386a40547b6fbc73e81

SHA1
3dae63c55c6d756bc1c5cc83a720463f3a2aa575

SHA256
680ac270dcc5d57f328b8c0ff8c71a4e140eb0563c1ff4e957f3185af886fe0f

SHA512
fc646ba9c677fcce2a8bceac747383af5d55682d9f2612495278933386dd4404e7ccb9480c9578b9651e7b5cca63a40a4a4d71bc2180e70dd48dac46b70f564b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
270KB

MD5
a5b72ce2ed1f6c90f4378522fb4a5a2a

SHA1
49a8368279da5bcec084cc6444f5ffb998d96925

SHA256
588197e1e8a9b5101cc36634d73e72e017373815165125f74eee65308b91c14b

SHA512
9ef4d4d8d7e6affd1a14f8652d83de17b211e05c423cdac415d53ced4426a1cfdca952caee54a2df630ad20e5452b2e54278f1826ec7e7f026fbf196ec44a2a3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
156KB

MD5
4b2abebbe34be45ae8cf266dfc559e17

SHA1
0f6f4ce7f00c4f29c05a5986a129b4c72c6b256a

SHA256
493f510c909fa11da2f214f3782c440a7a01e185e3d9891cc6fd2b5c89720e5e

SHA512
0c8bbbf717e908e32ac2987fd10ee91e46697dfb089d2d925b766a1f315c1a91b314324dd499ead450180b97e0664866bb762fef5d4bc17d8dbb3b3dbaaa9875

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
59KB

MD5
fba892ed3fd50b2b85a507e1f2db09bd

SHA1
609383ca209dfbe4683751fe8d0674442d8f690a

SHA256
70b01b40d7813ece183fbf0ea16879aee902362e2bcd73c98dc37f071b60039d

SHA512
71ad625223d986a2ebb7a3419b8970d4697aec46e8f8e5a49439d8b501b589146fcb4dbcaad332b881a2a80b8857b2f630be1a907c90c4180dbce4b215f08afc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
178KB

MD5
ffa70c8ed2be023a504f8008243ce13d

SHA1
00789b1246575b90455c63a8033bf16728a4ab5a

SHA256
6bb5d873f4434dfdc1dc5e710d6ce2ea1e1ed53640f737b65af84d42431afa87

SHA512
de82d88c4dc7aa5e8b4ca09b80d783a1e92025d1a3f86f029cde7e54430ed1cd8c57a23a9c355b892136d4dc8cc6f7a8dab3d7d2d6f3b9d5f2d8c934727a6640

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
24KB

MD5
66700284539b32d9a5f8522ae162ae60

SHA1
ae04f3bc6f3161543625a55fe948d8ad4831e520

SHA256
ef85729ebf31da725df6bfe2bb249c0fc4a4909599b02322142d871391ee6aa8

SHA512
3b291b947528954ccea4408a618170a8d9762e471c1fa9ab1ff531b63795fac06428ebe1949623f9431d80d15c840d636416a2761bce703bbbe7d1e3d2b7a717

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
43KB

MD5
8cefc07aac89b0c1622bb2e03008c398

SHA1
e60578723e6988919e8ea04615426d94078075fd

SHA256
34808223a4a196f7b4ff06a9d893d4a60ac297c35d54fc69a86e4f9f23adfcd8

SHA512
1c8d9c8431d54f461f0914ae6918097d49f510a0b5e4072dd4f56b45a8f784c4de8de957c63986671bf64091e71e286c99e75ca8c36bc972814ada80319b04f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
92KB

MD5
d5fe517eae13d8a33788a16ccb54759a

SHA1
4109ccca90ee0967514631b589b450a16da664eb

SHA256
2dbffca49bcb58ac3ec80e83db5155d29b3b31416bd33c8d64fe846adb35f5be

SHA512
ec99e941d09d4015b678bf6e78b65632fbe5e31e8333c24dc0b2bae5762a5a881a9d0acc9a3f86e8f756094ae1d834846dac8b2a23769e04d4115d8a9f50c16e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1KB

MD5
7abfa620b0fb7d53195cc8dfa0f59a2d

SHA1
4fd591d614f0409ab08cfb21c06901559584ccba

SHA256
d617e97aec488ece177d97631c801b31c677670b65ff159653e4934eb8cc2fb8

SHA512
ac3c8886a6217aca8d9b3da7c6c2d56001c7e3cc3a31d502cf824194b145580c37a577979ac8259c9893664a4ce7bb6503dfe79dde1bc29d9233c69a191e344f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
da65118ce2c4a703500f8333ea44b78b

SHA1
7858f3d44749108382bca429517916f6406cf4c6

SHA256
5215794c738775bcf78969fdc96097537607a6c1384c1de459afc0417325eed2

SHA512
c44b21d98ac8f21c1311de607dc81b7510530ef72cc4c195ec2545ccb54e9dd76a67c0838b9b5fde2a4e284f6fcf6b31eca8d649886fac8d79e93ff72d8f6de4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
259KB

MD5
133b46be1609207ecf925b656f6ddc29

SHA1
dd272a6c289212cb3c3d7256f83c86affc0a2b14

SHA256
5b3010e338ff8197e1916139687141cfeb276f567368fa8f8258466e8a6a34c4

SHA512
fcfa8785540bb698c5370000fe82ddee21356efa5b47324270b39605194f7da7b281b088dfbb45434d9885bebeb7e2558f8cba480d51178bc9004f4ac87a98a0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
92KB

MD5
ea08a78d8d7cd28f489456e2767d2813

SHA1
5efd166969d04c9fd535c6139f7d158b11e05b98

SHA256
1c09c03f63ca762cd1fe520e6a29d17319140042a56532ab2eb0353af22071ba

SHA512
b326ce85b99570b2a7fcf036c6c731330c4c66d63ec17d7fee23412e00fad368f02792ddb00f153ef17095ed0f6ab5fb46088b11f8f5de05fd8ba4e7dbf47c39

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
157KB

MD5
16c9275a229e0c2e4f57379ee8ca2f51

SHA1
906153c64440a14faa1a8d8cd448af11022e0a4a

SHA256
59e39a33472564d5725f8e9ca230939f29cd0435c58580e52482c0f56af36527

SHA512
29d30ebc082e4458ffe3a4a38168d4007381def59dd7d5e6a9eca4a8d222c9a03f6713b8a3a05958944febb67e26e978daf660dac6f7c9de4f9978959eae776e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
123KB

MD5
8b9ed4fdf970485d9b15d7f2d5315809

SHA1
8edb5df329569eaab3a8e9cc151a58fa92646bad

SHA256
23e354cf2c8d75424558ac81890cad62e5019bb6b017d733f46ce05b2ec8333b

SHA512
619691b40124594c7d36a72e079f7b1a6f3d0354dd065c7ec6be9d664125fda0b89dffdbc92ce2ddf5b7d8e2875bb58ea5612505bdd1d18a609f89b31c57732d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
e8df2a15af34d8660d3e81414b6d4421

SHA1
31086a03b14186d3a72ecdc0adfddff193c1e0cc

SHA256
8d5b9d3f343ac4816d14e8f427940776e372b2c82a14d4c3dbaeef6d63dd0086

SHA512
87aa85fcfbbb9f9d3da15d45f1a837c97fab96bfe67dab0bb2341e8f0e8cfe02793c817642c2205c01f7e3c4c8a40ce94ef2cc570139a94d95bdc728c2a47e14

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
124KB

MD5
a09e6730aa5490269b13ee0cf3570426

SHA1
8b582d0a804347c9a6664ac47cdad15f0549f0ef

SHA256
9db07be38587c05dcc0ae5f5ae4fa92938b47eb12db244067e9cdf4e255da60e

SHA512
fe743cd01e54117c13d9947cab1a3041862f78d5dca815525a18970aca066093da5b39d64056503e7bc91ac1de1295d22b42d457d039c957affd5149f064075b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
92KB

MD5
7f491190ead466bade02994b456cc524

SHA1
c1a69a674088b5c6077c65fa1f372bf0282d5970

SHA256
6fb6885926fbbe33ab3feac12c48c120a1e80cf87444abf191746b6323477dbe

SHA512
cf2ff784442d74e9d035d1ddf43361264c6709b4769f78be6ae3ca8f149473735837f02c53b325e33bd3a5c46bdd567421ba969cdd2a49d07658ce846b4a326a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
145KB

MD5
667793e1a429a347611e36af2edcc3bf

SHA1
10ed131d7b3ed917b7735c76ac6e1c86e8943107

SHA256
de7c8f1ca77c6e430132de587f00c5a8ef8749d5afc41f0a3e1ad4bfa94de92b

SHA512
a7a646eaa5c0c47aba8a225d9cf7dc8edfb774827cbd4c374e4fb51d3fd99f3d20e1165f08ff3a419e3100dd4ec953896088e47fa3a66eed244213a16e9c52e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
210KB

MD5
05b6481bbca1eb6f76c282337feaa489

SHA1
39ac73e6bd2bf86388ef1556699d464926430129

SHA256
f8ce087554ae8d8b0ce2fe86ee37bd73bba431433e35c1892a158b1eac9b6adb

SHA512
08213aef1e3d616c0161a862fc08676cb31bb3a68724698c35480b513ab35c5ac84ad960b79824ed8cf76d5e797fab153e892c182b501cd897e3f51cd9396cd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
48KB

MD5
691b422f0ed5f4c1634a2af516ef891c

SHA1
3ac447b3f756dc2198fef461d7e1a9bf593ec06d

SHA256
0777bc99a00a6a5e1c74dc5d990b52a908ad55223a362c67164e51f28aeae5ce

SHA512
a95c214a7b5289244e05fb571e42d2e012363e799205715dd39e6a788a772dbf0ef52cff949578ca11e9633ba5f98c979b4acae89073c0b61ae9c723a4be7a03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
91KB

MD5
eb54224f0021073125c7816d9e1a7799

SHA1
098d64c072b995f44672695039dc2a96c75b009a

SHA256
307a2370845fe561fc1517150709de112a59371a44eef2f6fe54dae3f1871533

SHA512
f94db3a0e632524aa272208b3237bd428820aaf5d325cbe182ddc679e521dde366174538a453b5a42668f390e71290f2ef3a81defa26be5e018b0d0689129de7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
33KB

MD5
234191ad28ef4b190e50f1b6fea8ba4a

SHA1
96554365240148b129e3b2f18a0430f0cd3fdc09

SHA256
b6c6ed869629b15788432e03ee5d91623ccd3c3d8fcd75cbd11755b1b5b82281

SHA512
a3366a7d305c9ef315320252066fc218170fc83cbd1041004cf6d356351a705f89a5483fc5f8221cf37552a426eda3018192ed55cdc83adcba2e8e39764f0599

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
131KB

MD5
93be8ae6f4ff8ac252fe8dedf74a89f8

SHA1
8bce6a59a8f28bcd96444d1446e3f7919c6b4fed

SHA256
796356e6427be3d26c4de7fed4b14e6c09868f7326a9b92c233939d1b2784360

SHA512
7ae18bc3fc94f09dece1195ba823aa8d94bf6916b28eae2f7a7eef373c3c8ab206b594d3923af7924d89248d71b7a6ad423ec98a6b490d98d38541817c3ccb04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
173KB

MD5
ac67d222d2924cfb25e44b0efd68ec39

SHA1
9f5f1bc15dbf4ed8c046526e2575427e803f024c

SHA256
0cea757e94d7e352dea3ee6bd0559339ca46722f88d393b82815d35635ae2ee3

SHA512
ae50c3e938b5d4649d4300b101f70265a58816cb6caadbe9d0508f1b837b2d9564c6f2449b12a6f61a1e41b35ce94499034ed009df63c8626229d5b748c317b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
68KB

MD5
7b091feb55accd97d8809677ee52634a

SHA1
53dcf7b00de15f1ac8706dd0bdebded77158a3be

SHA256
6503ad42d6c0ba681b0d6f21774557f3d151d58c18eb312e1da47c05141ffa80

SHA512
46286292b7d1835bd4619d7797aa0ed7cfd8297bc1b582c2f6f03f15d75f9dc3923a1c62cf72c659d8c2d2afe7517f440d3bb92440f24af0721b1ac39fba031a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
33KB

MD5
c187df823c0c4ee3b64bf6cb0ebb2fe7

SHA1
c76657175e5ceec581a575ecc7e644ad2d5b336b

SHA256
f27a2bd407432a387d30f05a29377efe970976fc2071ee1ce4cb36007b096ebe

SHA512
9683efb1589a3ef7293f8d1d13f91899a59420aa547fd75930bdc300483c2e30a29bfc47707d86739aac4e031c9ed9243be3cbf2a4fb1e1d98b3a6934c5b0901

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1KB

MD5
3435b0a64ef3a9c4a879795ad7017953

SHA1
02c3976061b2a9d9ef8fd767187ce1df59055e3d

SHA256
2d7c06cbb033037d90e96e5982779fb20a1fd5e344ee21c1d3383535f1babaff

SHA512
5dcb2448c0ffa293c9c28b16f4cc7b2a55c765124cc5f542575e4af077b670dbf35878bea8884d4d421c8cf6c010c62446da7c12061714418819ceb7f35293c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
180KB

MD5
af8fc656d5c3d0ed5b55fd7ef53fa7d7

SHA1
0f6dd8a0a49ebf22022d6e7f2ba96b2ecd2a47f5

SHA256
fa464ed4cb1e6d32579d974533d55b993efa8fc546f0af32dcdfaca20bd2c738

SHA512
19df92eb9f765bc5c651dce73f56c2a2599ff5b4d247e3f9487536c22b732ff0b543fdc1fb39c3d6937bdbbb5e4916b407da5965da48e823f175b5acbf346e26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1KB

MD5
e0e8d273e2f74b30109bf0213d9a124b

SHA1
fd635c4bde28260d7015f0fccd405e1f9a98e5d7

SHA256
08707db18e8d6c550afd5667aab82fd226fd5b00451d9adeb6ce04e7356f8afd

SHA512
2ce44cb77c868c843fbeca16534ed70c7a8938789a9acc2cebddf20e46b99b343df1a13310cf9102ccec743c1157c52433917aa27cf5977ac8088a88b09202be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
13KB

MD5
8fb500a1f3e3b9dbfe5e8c9eae8fefbd

SHA1
3f3d3b4464a56076228c56a64ec3bd5ded03af7c

SHA256
f17071077db164e5805b482b7d0e87fd53a4dd0b15ffc295d19216ad97ca2b0b

SHA512
8bd108255602a31d7a83644ca72f473430e9d2af6b56e6f4c783b4d03c68a4f608caf5cc1d09af77e1d0796b481773c69bbbf671a6b1ec5d340cc7d5007f0beb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
126KB

MD5
4d8dec19b743929955f62cf8f0ac337a

SHA1
f4092bcf8336ab9c3803ca327f4e1e6749cb748e

SHA256
7bffb2cb1d6a576d40d32c77ebef3bf1b589d53746e0272a855e04c86d71b853

SHA512
2aaa36148795d233a91e206e60f97bdbd3e6a09946e91c02fa46559f60f1fdf77eceeebe3c9c98675718fa6be991474c7a6c56c446797380726f981d72e490d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
28KB

MD5
2b7e06b2f5fc87cdd8658f716a0a8e9c

SHA1
61ccd0553346ab57cb992b9918d1ab235c3911d8

SHA256
ca3c7c574fd3079d2fd3beba2efc86bcee1e3bf136cc77c23548cc9270295bec

SHA512
8af2f3f652791d349808c77635a6553408d73ebcd50b2b78586fee16fa64c7220ed8c84d09060042ff9e45ec5d2f24b53190411e1fb298e4561330d375a8b6b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
55KB

MD5
c4e4ace1ddc63cc10ada5204ac85c693

SHA1
22abe1bca7fee0a07cf8a01889f0e5a016a30606

SHA256
c857502018797c3b275a3d7441cfdb119c855280c8a4d666b2418bb09adaf9b0

SHA512
2902aabfc85d3757a587974821eea44f81e4cdfa478cbd03c4613cf9c2e80e21745b74dcb8ba7b19968a8201c9e122fcceb18a5bb4e5065633b3c8d77fa9d7f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1KB

MD5
8e902e839fa19bd5beea0a09440c935e

SHA1
75eb956c8a2c990582270525af8952fbf63801bb

SHA256
405f3021ea8ff3424d52762036764d0aff58b24338eb6d27904189887b7f8193

SHA512
886454abfd5aafcb628cac381823aaf8080618cfa5e38e035db832703b27508cc3edde26f177389edab41188b6f313a84c175a9a30744d86e50da5de01dffb5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
26KB

MD5
e2b440aef836ddb3b8d136a25c618cee

SHA1
5d37715f6bade0586c5377736211fea5e036f7d4

SHA256
dcf00cd69490099e1a0b5d7141ec00204ea92a3978ebe71becdecdb5ff21b6ae

SHA512
62d1c0987013d90506d1ed829bf994f2e1cfbf7334ea7d614ee306b05220e57fd99e1dab8f07b0f5c6fc0bd1033d21d209c3ecff26e9168a1215ee761c915229

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1KB

MD5
b8c071a6fa0794070d8ffc76823529ef

SHA1
28c14b3e48ed3d7e6b357ce05b0caf3c93290f80

SHA256
4011c16538bf0b7776f7262ded33b3b75d8f07dbdcba111b60c2dfdef04f5e7e

SHA512
b19320ee3ff67d0fd4cb405dfc2ad1b081e23221572cc8917ed45544962a113d15d86a8da362dd48f773cfc6d7b70d7fe8b3b5778e2ff419da48063a34ed0e80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
14KB

MD5
b4ff55139f9d69c903cbe023111058eb

SHA1
a120d99213f587e5ef3c733b4ee2ed61043216b0

SHA256
7d6213a2e245f94356176576ab01e93801090dfa7b3b1c28cc09ad003f1ad6c9

SHA512
16789abba0fe9b65ca09a8315c722091a7331ec208939ee4b10b4346369a1ded1172b8f0eb873e18c14447fd18a48a85acd1b5836545220f15d455292e857372

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
135KB

MD5
8e3268fb03fd0d320357182d8e33d127

SHA1
4db7e2e882f70ba93e9d7df50ddb566e50aed917

SHA256
5e8515f4f4a0ef6c6a02d2fb0aae8f42e44389bb2470ac909c3ef7ea935086e4

SHA512
0d5f60aea7784db43a1b19338a9c95692df052c1da3d568c364b31c6c14e1b7031591e00699a2c1510846be36fbbe04c7af0b6131273e61c099ccab202f3fea7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
774KB

MD5
ddff011e7c09f3184f5c9f73952346bf

SHA1
d34d984096c2170f439f65a56e082cdb7d6ba549

SHA256
3844ff76dec14e301de07df142b246bee94fe02f863c5d03d4ee2db24b724874

SHA512
3ad71538770440ae67e9277f93bf3fb5be621937df46c9bdbe5169737090e29966bf18254aa49cf1c2c8f56d28e8856b6c5093c46bc3f22eb565e61dd78ff194

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
40KB

MD5
661490dcbb1202797179dad443b82e70

SHA1
afee4795accb5474870f2cbd74a2126f77564db2

SHA256
d2fdc193e9de3c6b880b7373d2c1bb0cad5090fed106456a2a093e71b3d74ce1

SHA512
dfe4183a7d80a4def2073d4a25ebea7e930887e099f3c7f5b215839bb78aa5e7c5b63bd8a50d788514bcd9036206035b28b0dd46452c36187f60ef5849c549ef

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
7bcfdd09e508e09e10e58dee5ad197a9

SHA1
c2462831d40a94fa3d4756da7f6d988d8c6d314e

SHA256
c47901085baea1fccd645db0cdf86918a15d3b670f0356aa0450aff3650f88aa

SHA512
e74974bace33188cbb6c240ce7826d19eaf40d3325646470227ebb9641d5c7e5311c69d2c5cf2f70c03415701f71a38ed75033ec058d212906ed566a8839df5d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5d7a7216560c1e5f2e8f5d32045e382d

SHA1
f7fc24b41b65573e04036ed69c4d99d9737513f8

SHA256
3cb65c17a9e5de93e3ee9d4773f0242767606b4e1bcaa212f2af6956eec1d09b

SHA512
85b1125e100314d2c31a1ce1500eeeea519c4bd3e1a00aa72b11af3d20a0be8db4200bc3bdb4f55bebd8e91de6671d29cbb90a8d5e1aa7967d1544b112acdf24

Download Submit
C:\Windows\System32\Locator.exe

Filesize
422KB

MD5
937429d455bec0c7c052765b87aa471f

SHA1
d087cd0f4668c04cec613ad2883bba99545346c8

SHA256
ec5dda1bdfc5933d62dd25f36179b35caa0f17a2f7a4f1933307aaea2c18a037

SHA512
b084aa1c2dd44fb6dbab96a2d28528b166616b8817eb07a54fda2cd69cf966e99001054d57eec55028c5e5eaf8620036d2213b419faba3b895308d92eb5c5c98

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
505KB

MD5
c1424a3585ff85481713bd6d9c855fff

SHA1
7bfa1b5f3a7afead586a187b155a03bb7c393511

SHA256
fb04e9035c257113c9bf40fcb9c9c48de78f8dc743aeaae5edd4a3e1774e674c

SHA512
e9ef8f59c08d060cb862e2781dbe46a0a2bc91d8ed0cda5359c3655fa184e02c35dd251fbf93763e24b8648e8af401291a255e1efdfdc11c989e41d2de2b4fbe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
33KB

MD5
b296094fe6484e3dd9eb8cc0edea95f4

SHA1
9a433a68690efb04c7008521df74823490019315

SHA256
839ec21a2407ee1d0e49dde3feff99da1e38bca27d8bbd8fbd09bbadd3b1be2a

SHA512
553c5f0c0f8eeacef0026bac9d92497b813a013750827c014d5da60b0413b723aaad7af0df0e383a49173c6f465281b25cfb7e1128f2186ef17c7e2668e748fe

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
535da5f6c298943df8c25c46c5b2f2f5

SHA1
01433b644e8cf53e302b932d5db583236b84ed49

SHA256
41ad065a91b8b85717bb422b24b4b064c1dc2706ab2c8fcb677f9c1f852c0092

SHA512
3d19b476dbec8f7e80a46feb8e327335dc16d069cd81abcb58d6ee5eaa73e803134727989f021bc6da39e963ec6a15510bc86050e017e440ebd3712696e6d813

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
58KB

MD5
777d8f325c47f3a7ccb57bee9f172bd6

SHA1
b34d37ff194355817df3922bfe41339c220d61fc

SHA256
3a5e763780359fc78ce475bc99d2eb581593b64a4792e5f613c1c460368aa4c0

SHA512
3fdbc140b43af0f2c3d4a27e9e5afb98bdb9907a9113af61bcc5c91362f1eaa43ce9db3ea79f85140febc6437eaaa8782129fe8b6116db9a58bbd0aefa3e09ba

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
143KB

MD5
0d0f452b4cad9263d277f14d2c4977bd

SHA1
2d8b128c769755b3faa0f4cbb8cb7d6665936dea

SHA256
b956669cd2ef69951c05048c6738074bbec5ec26f5b0d9701559598b6932aa19

SHA512
256796f5034790047f700752c9c0a96b4ca1cda7a8011096106f257393a4194852c20ed3906e60b01aefdb8abd2144bb16831457cfc606583c8239128e833770

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
457KB

MD5
ba28ab0bdd874efb283e4618716ca8b2

SHA1
5c8eb1ecd3eb36cb500c9906d87e303dcd48c498

SHA256
f9dd4d44e76422b2a468e68030c990854797acba625dc4d747767d78c6453353

SHA512
c57588b5be647e9b6c9e5b30676d82582729ccc1db258629d55dad4abe6496828a301e16b53f208786db5ba4ba71dbf0018b1c0ebe360411de5697fbd7599c19

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
400KB

MD5
4b16ed2c3c4d8037768d29f89a9c60ae

SHA1
16d9e15ad70dab3744672837f58ed9cf16602236

SHA256
ae5d2fc93d7af569d3ea6c8b67fbf0a58404846e4033305e4647f37518ee7d23

SHA512
bae40e2d267a7b523ee025c532cc1b6f680d37dc0be8e677c30ff1bf18df2a10d839ec0dcc4e370be4efb21f12912c1a9e2b9046c763f7e944fb77bcb291046c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
125KB

MD5
6af8df9914ab2a2ff91622b2f95f407f

SHA1
9781157227127e9e3ab577b18e316e906f9ceedd

SHA256
33e1f6df7b810ea862176c3d681261115792baa3a1734633cdf799e4c3cf80cd

SHA512
c2edd03f35180f167b3f04c1d4facc82dcbd06e0c666bc6075c21040370adf6ced7d309f04f4cd992fe8cb82a368591449e7f7f15d054ec072a90e95d8af8fcc

Download Submit
C:\Windows\System32\alg.exe

Filesize
64KB

MD5
f92d90cc2ca45cd4de6049cdcbda511d

SHA1
7cf84761c6ba72b03fc00af3d2357556d7546e5e

SHA256
08131ecac8ca007312a6712200e47299724d9f2ec3dff8a43a3e24a487156b65

SHA512
64251d52e4c840a0e8c7ec31bf16da7b811368b4064d9ce5496290fa42eba9326f2037c5f68998579ae1fc2d1ba0d45dc10146afa934aef1476ee7166c336db7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
708fae5e07fe96d6988a4d1c18521d7b

SHA1
2559593e5b2d254ca145690e3affb31127e8da4a

SHA256
d32171ba571c87ea7198b6714deb419ff5be4e2dde037adade46da812b8c0534

SHA512
ac8f358c0d0b645cb40d3447267c8b1069f02d206e1995765aee63ef8ad3f64d5bea7278debd9e6d57a4299e6c4a719367a642aa76dac0eef595abea6fce961e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
627KB

MD5
b9192391363e5fefc123d4911e3d0345

SHA1
2290a855781680ada59724b2a8c1ccba7492a3fb

SHA256
e4eb055d9b03474b2229d0b2ceb28e558ac64549359cc2c801193f4b1b5974d0

SHA512
5460e62b159c69acb1538d6979c313dd22453f57d851fb139cdd078d6d48cf009a84998e47f759cd97e61d238d692dab39b7a522d37364082480409661053ed9

Download Submit
C:\Windows\System32\vds.exe

Filesize
226KB

MD5
59f0ef572b7d061bb000eab8602d62c9

SHA1
48c63ce1d830493eb0c3cdd67e7b811253837976

SHA256
1c09554023a34c31589466e4077a6d600bb7cd57c2548ee16250e51782d1b065

SHA512
0e47e1792acb2ae6adef0b8e8d4de1343ac364c6dd574593ac496d30d7beeeb77c134938dc9e5269ec4cda526d76307e48de0d7c2384395d6887b06919baead6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
67KB

MD5
a4211b4c13fd8476b641a118276c390d

SHA1
cc694d54332ced207e76ffe474f870460cf98935

SHA256
b0debb0486c09901c905e7a73f289d156f5474d28598f7d18101e6f7afdeacfd

SHA512
ce68c5f7cdaec8a3ec76b1cc1dccc552c6f9bb1f8094e2bff52c19da73181c1819cad51d3587e9a7a8aeb4900fe5ce5e21db16e6b685d7fe34fc19a3a15cd55c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
68KB

MD5
1062dd7f041319c13d962cf9271ab14a

SHA1
c6f81e2e1fddb25a82b7653c4b69fb826263ac10

SHA256
e8a32ab89485a5b186deaa6be68b2b03df29de4d78ebdefd41f762575cd99e01

SHA512
73d8f9423f01d8120e61f22edd605ab6a984375851490902eab78a986401c482726a66c8dca86694cabe41977c0170fbf8d96edbcbaa88984f91d94fdf600218

Download Submit
C:\odt\office2016setup.exe

Filesize
81KB

MD5
c5c4c66f9b4c3d785d51afc2dba8f65f

SHA1
97a1786c4477de234b701e6ae87f00e3b91d4a94

SHA256
d809bd0c1b80a4824a322d1634bfdf1637faf3ffd7d187f91f4a0c22fb2eb0ec

SHA512
56798ad19f1199cf8b4e6da0e1cec77b079fe698806494c8a9f4dbe1765d923f2fe5f70b50cec08e9c963d7c1d537ebe817abd2ab2e5378aac6902f3016e7511

Download Submit
memory/1036-453-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1036-445-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1396-344-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1396-338-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1396-404-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1648-467-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/1648-457-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1996-38-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1996-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1996-37-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1996-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2220-430-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2220-371-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2220-365-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2404-413-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2404-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2404-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2452-295-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2452-287-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2452-348-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2612-271-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2612-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2612-273-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2612-254-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2612-262-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3020-389-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3020-330-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3020-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3300-33-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3300-25-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3300-26-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3300-233-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3612-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3612-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3612-226-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3612-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3832-418-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3832-427-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/3952-399-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3952-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3952-403-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4148-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/4148-16-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/4148-1-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/4148-6-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/4352-309-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4352-249-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4352-242-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4352-243-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4472-48-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4472-62-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4472-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4472-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4472-49-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4612-64-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4612-237-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4612-71-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4612-65-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4696-440-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4696-432-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4840-270-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4840-279-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4840-336-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4868-306-0x0000000000810000-0x0000000000877000-memory.dmp

Filesize
412KB

Download
memory/4868-299-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4868-362-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4892-319-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4892-375-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4892-311-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4928-443-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4928-385-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4928-377-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4960-551-0x000001F3D9930000-0x000001F3D9940000-memory.dmp

Filesize
64KB

Download
memory/4960-550-0x000001F3D9920000-0x000001F3D9930000-memory.dmp

Filesize
64KB

Download
memory/4960-552-0x000001F3D9920000-0x000001F3D9930000-memory.dmp

Filesize
64KB

Download
memory/5116-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5116-357-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5116-417-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download